Perception is Reality?

February 9th, 2009

A guy I used to work for in the infosec field (of course) was always telling me that “perception is reality”. In his eyes, you could win the political game within our company by simply putting up a good front. Even if we were totally screwed up within the infosec group, or didn’t know what was going on with a project, or didn’t have a plan, we could create the illusion of competence by proactively bombarding people with information, acting a little smug and pompous, and berating other people for not caring about security (dammit!)

Was this a sound strategy? No, this guy was generally a boob and I worked for him only a short time. However, it really did get me thinking about a few ways to interpret this in the infosec space.

1. Just because someone talks a good game does not mean they know what the f*** they are talking about. Frankly, I personally believe that a number of the people floating around in the “blogosphere” who are billing themselves as “security experts” should STFU. However, many people seem to feel that “they blog, therefore they have kung fu”. Perception, at least for the unwashed masses, is reality. Because you’ll never KNOW whether that cool blog guy actually has kung fu or not. And he knows it.

2. A more global one this time. Do you think that most consumers inherently believe that their data is safe with companies who have it? Or the opposite? I think most people just sort of trust that their data is safe. And then when there’s a data breach, the company apologizes, and we all think “oh, well, they’ll just get BACK to being secure and all will be well.” Hmmmm.

Let’s focus on #2 (#1 was pure rant). I had the pleasure of meeting and speaking with Michael Santarcangelo of Security Catalyst about two weeks ago. He and I had lots in common, and hit it off well. One major point we agree upon was the total lack of outrage (in other words, the general complacency) of the populace WRT data breaches and data security overall. TJX loses 90 million people’s data, and people are still shopping there with no issues at all. Did they actually lose any customers? What about all the other breaches? Does anyone really care? Who really feels the pain? Who assumes the liability here?

OK, OK, I know this is sounding like a rant here, too, but really it’s just a question of whether people’s skewed perception of data security (it’s not that big a deal) in essence leads to the reality that it ISN’T that big a deal. This runs counter to all the ranting we do as security people, and of course no one will ADMIT that losing data might not really have long-term impacts at the moment. I’m certainly not saying we should give up the fight. And this doesn’t apply to data like sensitive intellectual property, health data, etc. Mostly payment card data, which can almost be considered ephemeral in some senses. But I ask – does perception equal reality in this case? Why or why not?

Few quick thoughts before I get on a plane.
Yes, perception is reality in this case. You have a few factors at play.
1) 80-90% of folks don’t truly understand the issue or what happened. Not really, not in their gut.
2) CC breaches are not their end user’s liability. They just get a new card number and the CC issuer eats the loss.
3) We’ve become desensitized to data breaches. It’s happening too often, and now there is a thought that it is unavoidable, and just a risk to mitigate and respond to, rather than one to avoid completely.